How to: Re-sign Application and Deployment Manifests
Note
This article applies to Visual Studio 2015.
After you make changes to deployment properties in the application manifest for Windows Forms applications, Windows Presentation Foundation applications (xbap), or Office solutions, you must re-sign both the application and deployment manifests with a certificate. This process helps ensure that tampered files are not installed on end-user computers.
Another scenario where you might re-sign the manifests is when your customers want to sign the application and deployment manifests with their own certificate.
Re-signing the Application and Deployment Manifests
This procedure assumes that you have already made changes to your application manifest file (.manifest). For more information, see How to: Change Deployment Properties.
To re-sign the application and deployment manifests with Mage.exe
Open a Visual Studio Command Prompt window.
Change directories to the folder that contains the manifest files that you want to sign.
Type the following command to sign the application manifest file. Replace ManifestFileName with the name of your manifest file plus the extension. Replace Certificate with the relative or fully qualified path of the certificate file and replace Password with the password for the certificate.
mage -sign ManifestFileName.manifest -CertFile Certificate -Password Password
For example, you could run the following command to sign an application manifest for an add-in, a Windows Forms application, or a Windows Presentation Foundation browser application. Temporary certificates created by Visual Studio are not recommended for deployment into production environments.
mage -sign WindowsFormsApplication1.exe.manifest -CertFile ..\WindowsFormsApplication1_TemporaryKey.pfx
mage -sign ExcelAddin1.dll.manifest -CertFile ..\ExcelAddIn1_TemporaryKey.pfx
mage -sign WpfBrowserApplication1.exe.manifest -CertFile ..\WpfBrowserApplication1_TemporaryKey.pfx
Type the following command to update and sign the deployment manifest file, replacing the placeholder names as in the previous step.
mage -update DeploymentManifest -appmanifest ApplicationManifest -CertFile Certificate -Password Password
For example, you could run the following command to update and sign a deployment manifest for an Excel add-in, a Windows Forms application, or a Windows Presentation Foundation browser application.
mage -update WindowsFormsApplication1.application -appmanifest WindowsFormsApplication1.exe.manifest -CertFile ..\WindowsFormsApplication1_TemporaryKey.pfx
mage -update ExcelAddin1.vsto -appmanifest ExcelAddin1.dll.manifest -CertFile ..\ExcelAddIn1_TemporaryKey.pfx
mage -update WpfBrowserApplication1.xbap -appmanifest WpfBrowserApplication1.exe.manifest -CertFile ..\WpfBrowserApplication1_TemporaryKey.pfx
Optionally, copy the master deployment manifest (publish\appname.application) to your version deployment directory (publish\Application Files\appname_version).
Updating and Re-signing the Application and Deployment Manifests
This procedure assumes that you have already made changes to your application manifest file (.manifest) and that other files were also updated. When a file is updated, the hash that represents that file must also be updated.
To update and re-sign the application and deployment manifests with Mage.exe
Open a Visual Studio Command Prompt window.
Change directories to the folder that contains the manifest files that you want to sign.
Remove the .deploy file extension from the files in the publish output folder.
Type the following command to update the application manifest with the new hashes for the updated files and sign the application manifest file. Replace ManifestFileName with the name of your manifest file plus the extension. Replace Certificate with the relative or fully qualified path of the certificate file and replace Password with the password for the certificate.
mage -update ManifestFileName.manifest -CertFile Certificate -Password Password
For example, you could run the following command to update and sign an application manifest for an add-in, a Windows Forms application, or a Windows Presentation Foundation browser application. Temporary certificates created by Visual Studio are not recommended for deployment into production environments.
mage -update WindowsFormsApplication1.exe.manifest -CertFile ..\WindowsFormsApplication1_TemporaryKey.pfx
mage -update ExcelAddin1.dll.manifest -CertFile ..\ExcelAddIn1_TemporaryKey.pfx
mage -update WpfBrowserApplication1.exe.manifest -CertFile ..\WpfBrowserApplication1_TemporaryKey.pfx
Type the following command to update and sign the deployment manifest file, replacing the placeholder names as in the previous step.
mage -update DeploymentManifest -appmanifest ApplicationManifest -CertFile Certificate -Password Password
For example, you could run the following command to update and sign a deployment manifest for an Excel add-in, a Windows Forms application, or a Windows Presentation Foundation browser application.
mage -update WindowsFormsApplication1.application -appmanifest WindowsFormsApplication1.exe.manifest -CertFile ..\WindowsFormsApplication1_TemporaryKey.pfx
mage -update ExcelAddin1.vsto -appmanifest ExcelAddin1.dll.manifest -CertFile ..\ExcelAddIn1_TemporaryKey.pfx
mage -update WpfBrowserApplication1.xbap -appmanifest WpfBrowserApplication1.exe.manifest -CertFile ..\WpfBrowserApplication1_TemporaryKey.pfx
Add the .deploy file extension back to the files, except the application and deployment manifest files.
Optionally, copy the master deployment manifest (publish\appname.application) to your version deployment directory (publish\Application Files\appname_version).
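A check for the hash requirement in this procedure, as an added example (not part of the original article and not a feature of Mage.exe): it recomputes the digest of every file listed in an application manifest and reports entries whose recorded hash no longer matches, which is the condition that makes the update step necessary. The manifest layout (file and dependentAssembly entries carrying XML-DSig DigestMethod and DigestValue elements computed over the raw file bytes) and the names check_manifest and demo are assumptions.

```python
import base64
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: entries carry XML-DSig DigestMethod/DigestValue over the raw file bytes.
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ALGS = {DSIG + "sha1": "sha1", DSIG + "sha256": "sha256"}

def local(tag):  # drop the XML namespace so elements match by local name
    return tag.rsplit("}", 1)[-1]

def check_manifest(manifest):
    """Map each hashed entry to 'ok', 'stale', 'missing' or 'unsupported'."""
    manifest, results = Path(manifest), {}
    for el in ET.parse(manifest).iter():
        # <file name=...> is a content file, <dependentAssembly codebase=...> an assembly
        name = el.get({"file": "name", "dependentAssembly": "codebase"}.get(local(el.tag), ""))
        found = {local(c.tag): c for c in el.iter()} if name else {}
        if "DigestMethod" not in found or "DigestValue" not in found:
            continue  # not a hashed entry
        rel = manifest.parent.joinpath(*name.split("\\"))
        candidates = (rel, Path(str(rel) + ".deploy"))  # publish output keeps .deploy
        path = next((p for p in candidates if p.is_file()), None)
        alg = ALGS.get(found["DigestMethod"].get("Algorithm"))
        if path is None or alg is None:
            results[name] = "missing" if path is None else "unsupported"
            continue
        want = base64.b64decode(found["DigestValue"].text.strip())
        got = hashlib.new(alg, path.read_bytes()).digest()
        results[name] = "ok" if got == want else "stale"
    return results

def demo():
    """Constructed sample: two published files, one edited after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        root, entries = Path(tmp), ""
        for name, data in {"App.exe": b"v1", "Data\\help.txt": b"v1"}.items():
            target = root.joinpath(*name.split("\\"))
            target.parent.mkdir(parents=True, exist_ok=True)
            Path(str(target) + ".deploy").write_bytes(data)
            b64 = base64.b64encode(hashlib.sha256(data).digest()).decode()
            entries += (f'<file name="{name}"><hash><d:DigestMethod Algorithm="{DSIG}sha256"/>'
                        f'<d:DigestValue>{b64}</d:DigestValue></hash></file>')
        xml = f'<assembly xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:d="{DSIG}">{entries}</assembly>'
        (root / "App.exe.manifest").write_text(xml)
        (root / "Data" / "help.txt.deploy").write_bytes(b"v2")  # changed after hashing
        return check_manifest(root / "App.exe.manifest")
```

Any entry reported as stale or missing means the application manifest must be updated and both manifests re-signed before the files are deployed.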
See Also
Securing ClickOnce Applications
Code Access Security for ClickOnce Applications
ClickOnce and Authenticode
Trusted Application Deployment Overview
How to: Enable ClickOnce Security Settings
How to: Set a Security Zone for a ClickOnce Application
How to: Set Custom Permissions for a ClickOnce Application
How to: Debug a ClickOnce Application with Restricted Permissions
How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications
How to: Configure the ClickOnce Trust Prompt Behavior